CVE-2024-38140 Overview
CVE-2024-38140 is a remote code execution vulnerability in the Windows Reliable Multicast Transport Driver (RMCAST), the kernel-mode driver (pgm.sys) that implements the Pragmatic General Multicast (PGM) protocol. The flaw is classified as a Use-After-Free [CWE-416] condition that an unauthenticated attacker can trigger over the network. Successful exploitation grants code execution in the context of the Windows kernel. Microsoft published the advisory on August 13, 2024, affecting a broad range of Windows client and server versions. The vulnerability requires no user interaction and no privileges, making it reachable by any host that can deliver crafted multicast traffic to a vulnerable system with an active PGM listener.
Critical Impact
An unauthenticated remote attacker can achieve kernel-level code execution by sending crafted PGM packets to a Windows system running a Message Queuing (MSMQ) service or other component bound to RMCAST.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 21H2, 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008, 2012, 2012 R2, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-08-13 - Microsoft releases security update for CVE-2024-38140
- 2024-08-13 - CVE-2024-38140 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-38140
Vulnerability Analysis
The Reliable Multicast Transport Driver implements PGM, a multicast transport protocol used by Windows Message Queuing (MSMQ) for reliable one-to-many message delivery. The driver is reachable only when a process binds a socket using AF_INET/SOCK_RDM with the IPPROTO_RM protocol, most commonly through the MSMQ Multicast feature. When that binding exists, the driver parses inbound PGM packets directly in kernel mode.
The vulnerability is a use-after-free [CWE-416] in the packet processing path. The driver references a previously freed object during reassembly or session state management, allowing an attacker who controls the timing and content of PGM traffic to manipulate the freed allocation. Because parsing occurs in kernel context, exploitation results in code execution at ring 0.
Root Cause
The root cause is improper lifetime management of an internal object within pgm.sys. Under specific packet sequences, the driver releases the structure while another code path retains a pointer to it. Subsequent dereference of the dangling pointer reads or writes attacker-influenced memory, enabling kernel memory corruption.
Attack Vector
The attack vector is network-based and requires the target to have a process listening for PGM traffic, typically MSMQ with the Multicasting role enabled. The attacker sends a crafted sequence of PGM packets to the multicast group or directly to the host. No authentication, privileges, or user interaction is required. See Talos Intelligence Vulnerability Report TALOS-2024-2062 for protocol-level technical analysis.
Detection Methods for CVE-2024-38140
Indicators of Compromise
- Unexpected MSMQ or PGM-related processes spawning child processes or loading unsigned modules after inbound multicast traffic.
- Kernel crashes referencing pgm.sys in Windows Event Log or memory dumps, which may indicate failed exploitation attempts.
- Unsolicited PGM traffic (IP protocol 113) from untrusted network segments to hosts running MSMQ.
Detection Strategies
- Inventory systems with the MSMQ feature installed and confirm whether the Multicasting subcomponent is enabled, which exposes RMCAST.
- Monitor for inbound IP protocol 113 (PGM) packets to hosts that should not be receiving multicast queuing traffic.
- Capture and review Windows kernel bugchecks (BSOD codes referencing pgm.sys) for signs of exploitation attempts.
Monitoring Recommendations
- Alert on creation of listeners using IPPROTO_RM on unexpected hosts.
- Track changes to the MSMQ service state and registry keys under HKLM\SOFTWARE\Microsoft\MSMQ.
- Correlate kernel anomalies with network telemetry showing recent PGM traffic to detect probable exploitation windows.
How to Mitigate CVE-2024-38140
Immediate Actions Required
- Apply the August 2024 Microsoft security update for every affected Windows client and server version listed in the Microsoft Security Update CVE-2024-38140 advisory.
- Audit all hosts for the MSMQ feature and disable it where it is not required for business operations.
- Block inbound IP protocol 113 (PGM) at perimeter and internal segmentation firewalls, restricting it to authorized multicast senders only.
Patch Information
Microsoft addressed the use-after-free in pgm.sys through the August 13, 2024 Patch Tuesday cumulative updates. Refer to the Microsoft Security Update CVE-2024-38140 advisory for the specific KB article numbers corresponding to each Windows build. Apply the update through Windows Update, WSUS, or Microsoft Update Catalog.
Workarounds
- Uninstall the Message Queuing Windows feature if it is not in active use, which removes the attack surface entirely.
- If MSMQ is required, disable the Multicasting subcomponent under MSMQ feature options to prevent the driver from accepting PGM traffic.
- Apply host firewall rules to drop inbound PGM (IP protocol 113) traffic from any source other than known multicast peers.
# Configuration example - disable MSMQ feature and block PGM traffic on Windows
# Remove the Message Queuing feature (requires reboot)
DISM /Online /Disable-Feature /FeatureName:MSMQ-Container /Remove
# Alternatively, block inbound PGM traffic (IP protocol 113) at the host firewall
New-NetFirewallRule -DisplayName "Block Inbound PGM (CVE-2024-38140)" `
-Direction Inbound -Protocol 113 -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
